Changing the way IIS answers to PASV commands?


From: Selroth (Selroth_at_discussions.microsoft.com)
Date: 09/18/04

Date: Sat, 18 Sep 2004 16:49:09 -0700

    Running a Win2k (SP4) IIS 4 FTP server behind a Linksys router (or trying to).
    LAN IP address of server is 192.168.1.5
    LAN IP of router is 192.168.1.1
    LAN IP of my PC is 192.168.1.2

    First of all, I thank you for your time and effort.

    Now, I set up IIS and have gotten it to the stage where I can connect to it
    through my LAN, but not the WAN (Internet). There are two issues I'd like to
    address:

    Primarily, when I connect through the WAN (from 192.168.1.2 to
    192.168.1.5:21), send the PASV command, it replied with "227 Entering Passive
    Mode (192,168,1,5,4,90)." Perfect, I can do that. It works.
    HOWEVER, when I connect through the WAN, (from 68.35.78.247 to
    68.35.78.247:21), send the PASV command, it replies with "227 Entering
    Passive Mode (192,168,1,5,4,91)." But wait, I can't connect to that! It's
    giving me a local IP address when I need a WAN IP address. So, how do I tell
    IIS its WAN IP address so people on the internet can connect?

    Secondly, port 1024-4000~ are used for other things on my network, and I
    don't really want them to be FTP data ports. I found documentation that says
    you can add a registry key to the tcpip service with regedit. I did, but for
    one, it didn't have an effect on the PASV replies, and two, that's just the
    tcpip port range. Microsoft documentation also says the security risk of
    listing PASV ports sequentially has been fixed with SP4, but it wasn't; they
    still seem pretty darn sequential to me.

    Lil' help? And IIS 6 I tried a while ago and had the same problems (my PC
    is WinXP, but I don't have another legal copy of it so I have to use Win2k on
    my FTP server). Again, thank you. I eagerly await replies.
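
Added example, not part of the original post: a small Python diagnostic that decodes the `227` replies quoted above and reports the two symptoms the post describes, a data address that differs from the address the client connected to and data ports handed out in sequence. The function names are hypothetical; the decoding rule (port = p1*256 + p2) is from RFC 959.

```python
import ipaddress
import re

# RFC 959 reply payload (h1,h2,h3,h4,p1,p2): address h1.h2.h3.h4, port p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\(" + ",".join([r"(\d{1,3})"] * 6) + r"\)")

def parse_pasv(reply):
    """Return (IPv4Address, port) from a 227 reply line, or raise ValueError."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("field out of range in %r" % reply)
    return ipaddress.IPv4Address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]

def address_problem(control_ip, reply):
    """Describe a mismatch between the advertised data address and the
    address the control connection was made to, or return None."""
    host, _ = parse_pasv(reply)
    if host == ipaddress.IPv4Address(control_ip):
        return None
    kind = "private/non-routable" if host.is_private else "different"
    return "server advertises %s address %s; client connected to %s" % (kind, host, control_ip)

def sequential_ports(replies):
    """True if successive 227 replies hand out data ports that each step by +1."""
    ports = [parse_pasv(r)[1] for r in replies]
    return len(ports) > 1 and all(b - a == 1 for a, b in zip(ports, ports[1:]))

if __name__ == "__main__":
    lan_reply = "227 Entering Passive Mode (192,168,1,5,4,90)."  # quoted in the post
    wan_reply = "227 Entering Passive Mode (192,168,1,5,4,91)."  # quoted in the post
    print(parse_pasv(lan_reply))
    print(address_problem("192.168.1.5", lan_reply))
    print(address_problem("68.35.78.247", wan_reply))
    print(sequential_ports([lan_reply, wan_reply]))
```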

